@_xpn_ | |
Blog | https://blog.xpnsec.com |
Mastodon (redirect) | _xpn_@infosec.exchange |
Bit of fun this weekend by looking at how Mastodon actually works under the hood. The "federation" part is really interesting, but also highlights how other servers may not be trusted.
Take for example this user (should be cached on infosec.exchange):
If you click on the user via the web interface, you'll see that the account has insta-influencer status, without all the shit-posting and self-meme'ing.
This is of course all by design, as part of ActivityPub. When we reference an account on another server, the "federation" part of the protocol kicks in and requests information on the account from that server. This means that on a server we control, we can set as many followers as we want (as well as post count and basically anything else we want) simply by returning a "totalItems" value of 99999999 in the followers ActivityStreams JSON.
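As an added example (not from the original post, and not Mastodon's own code), here is how a consuming server could treat a remote "totalItems" as an unverified claim and compare it against what the followers collection actually lets it enumerate. The server names, the sample collection and the `fetch` callback are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample (no real server): the collection claims 99999999
# followers, but its only page lists two accounts and has no "next".
ACTOR = "https://example.invalid/users/influencer"
PAGES = {
    ACTOR + "/followers": {
        "type": "OrderedCollection",
        "id": ACTOR + "/followers",
        "totalItems": 99999999,
        "first": ACTOR + "/followers?page=1",
    },
    ACTOR + "/followers?page=1": {
        "type": "OrderedCollectionPage",
        "orderedItems": ["https://example.invalid/users/bob",
                         "https://example.invalid/users/eve"],
    },
}

def same_origin(a, b):
    """Only trust objects served from the actor's own scheme+host."""
    return urlparse(a)[:2] == urlparse(b)[:2]

def audit_followers(actor, collection_url, fetch, max_pages=50):
    """Return (claimed, enumerated, verdict) for an actor's followers collection.
    `fetch(url)` maps a URL to its JSON object (dict lookup here; HTTP on a real server)."""
    if not same_origin(actor, collection_url):
        return None, 0, "reject: collection served from another origin"
    coll = fetch(collection_url)
    claimed = int(coll.get("totalItems", 0))
    page_url, seen, enumerated = coll.get("first"), set(), 0
    if page_url is None:  # hidden followers: the count cannot be checked at all
        return claimed, 0, "unverifiable: collection is not enumerable"
    while page_url and page_url not in seen and len(seen) < max_pages:
        if not same_origin(actor, page_url):
            return claimed, enumerated, "reject: page served from another origin"
        seen.add(page_url)
        enumerated += len(fetch(page_url).get("orderedItems", []))
        page_url = fetch(page_url).get("next")
    if page_url:  # page budget exhausted or a cycle in "next"
        return claimed, enumerated, "unverified: not every page was walked"
    if claimed > enumerated:
        return claimed, enumerated, "inflated: %d claimed, %d enumerable" % (claimed, enumerated)
    return claimed, enumerated, "consistent"

if __name__ == "__main__":
    print(audit_followers(ACTOR, ACTOR + "/followers", lambda u: PAGES[u]))
```

The verdict, not the raw number, is what a UI should surface for remote accounts; a local server can only ever vouch for counts it computed itself.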
tl;dr, Factor in trust of servers when using Mastodon (and stop using follow count as a metric!)